P
US9912476B2ActiveUtilityPatentIndex 83

System and method for content protection based on a combination of a user PIN and a device specific identifier

Assignee: APPLE INCPriority: Apr 7, 2010Filed: Jan 29, 2016Granted: Mar 6, 2018
Est. expiryApr 7, 2030(~3.8 yrs left)· nominal 20-yr term from priority
Inventors:BROUWER MICHAEL LAMBERTUS HUBERTUSADLER MITCHELL DAVID
H04L 9/0863H04L 9/30H04L 9/0869G06F 21/62H04L 9/0894H04L 9/0643H04L 9/3231H04L 9/0861H04L 2209/80H04L 9/0838H04L 9/0866H04L 9/14
83
PatentIndex Score
4
Cited by
157
References
20
Claims

Abstract

Disclosed herein are systems, methods, and non-transitory computer-readable storage media for encryption and key management. The method includes encrypting each file on a computing device with a unique file encryption key, encrypting each unique file encryption key with a corresponding class encryption key, and encrypting each class encryption key with an additional encryption key. Further disclosed are systems, methods, and non-transitory computer-readable storage media for encrypting a credential key chain. The method includes encrypting each credential on a computing device with a unique credential encryption key, encrypting each unique credential encryption key with a corresponding credential class encryption key, and encrypting each class encryption key with an additional encryption key. Additionally, a method of generating a cryptographic key based on a user-entered password and a device-specific identifier secret utilizing an encryption algorithm is disclosed.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method for generating a master key for accessing content stored by a computing device, the method comprising:
 at a hardware module included in the computing device, wherein the hardware module is separate and distinct from a processor included in the computing device and is communicably coupled to the processor:
 receiving, from the processor, a request to generate the master key, wherein the request includes biometric data associated with a user of the computing device; 
 accessing an identifier that is unique to the computing device, wherein the identifier is directly accessible only to the hardware module within the computing device, and is stored by the hardware module in a manner that prevents software executing by way of the processor from directly accessing the identifier; 
 combining the biometric data and the identifier to produce a combined value; 
 carrying out an iterative function on the combined value to produce the master key, wherein a number of iterations associated with the iterative function is based on a selected security level; and 
 providing the master key to the processor, wherein the master key is utilized by the processor to access the content. 
 
 
     
     
       2. The method of  claim 1 , further comprising:
 receiving an indication of the security level. 
 
     
     
       3. The method of  claim 1 , wherein the identifier is indirectly-accessible to the processor via the hardware module. 
     
     
       4. The method of  claim 1 , wherein the request specifies a number of iterations to be performed on the combined value by the iterative function. 
     
     
       5. The method of  claim 4 , wherein the iterative function includes a Password-Based Key Derivation Function 2 (PBKDF2). 
     
     
       6. The method of  claim 4 , wherein the iterative function includes a Hash-based Message Authentication Code Secure Hash Algorithm 1 (HMAC-SHA1). 
     
     
       7. The method of  claim 1 , wherein the identifier is larger in size than the biometric data. 
     
     
       8. A non-transitory computer readable storage medium configured to store instructions that, when executed by a hardware module included in a computing device, cause the hardware module to generate a master key for accessing content managed by the computing device, by carrying out steps that include:
 receiving, from a processor included in the computing device, a request to generate the master key, wherein:
 the request includes biometric data associated with a user of the computing device, 
 the processor is separate and distinct from the hardware module, and 
 the processor is communicably coupled to the hardware module; 
 
 accessing an identifier that is unique to the computing device, wherein the identifier is directly accessible only to the hardware module within the computing device, and is stored by the hardware module in a manner that prevents software executing by way of the processor from directly accessing the identifier; 
 combining the biometric data and the identifier to produce a combined value; 
 carrying out an iterative function on the combined value to produce the master key, wherein a number of iterations associated with the iterative function is based on a selected security level; and 
 providing the master key to the processor, wherein the master key is utilized by the processor to access the content. 
 
     
     
       9. The non-transitory computer readable storage medium of  claim 8 , wherein the steps further include:
 receiving an indication of the security level. 
 
     
     
       10. The non-transitory computer readable storage medium of  claim 8 , wherein the steps further include:
 providing the master key to the processor for accessing content stored on the computing device. 
 
     
     
       11. The non-transitory computer readable storage medium of  claim 8 , wherein the identifier is indirectly-accessible to the processor via the hardware module. 
     
     
       12. The non-transitory computer readable storage medium of  claim 8 , wherein the request specifies a number of iterations to be performed on the combined value by the iterative function. 
     
     
       13. The non-transitory computer readable storage medium of  claim 12 , wherein the iterative function includes a Password-Based Key Derivation Function 2 (PBKDF2). 
     
     
       14. The non-transitory computer readable storage medium of  claim 12 , wherein the iterative function includes a Hash-based Message Authentication Code Secure Hash Algorithm 1 (HMAC-SHA1). 
     
     
       15. A computing device configured to generate a master key for accessing content, the computing device comprising:
 a memory that stores the content; 
 a processor, wherein the processor is configured to:
 receive a first request to access the content, wherein the first request includes biometric data associated with a user of the computing device, and 
 issue, to a hardware module included in the computing device, a second request to generate the master key based (i) on the biometric data, and (ii) an identifier that is unique to the computing device, wherein the identifier is directly accessible only to the hardware module within the computing device, and is stored by the hardware module in a manner that prevents software executing by way of the processor from directly accessing the identifier; and 
 
 the hardware module, wherein the hardware module is separate and distinct from the processor and is configured to:
 receive, from the processor, the second request, 
 access the identifier stored by the hardware module, 
 combine the biometric data and the identifier to produce a combined value; 
 carry out an iterative function on the combined value to produce the master key, wherein a number of iterations associated with the iterative function is based on a selected security level; and 
 provide the master key to the processor, wherein the master key is utilized by the processor to access the content. 
 
 
     
     
       16. The computing device of  claim 15 , wherein the processor is further configured to:
 receive an indication of the security level. 
 
     
     
       17. The computing device of  claim 15 , wherein:
 the hardware module is further configured to provide the master key to the processor, and 
 the processor is further configured to access the content using the master key. 
 
     
     
       18. The computing device of  claim 15 , wherein the identifier is indirectly-accessible to the processor via the hardware module. 
     
     
       19. The computing device of  claim 15 , wherein the second request specifies a number of iterations to be performed on the combined value by the iterative function. 
     
     
       20. The computing device of  claim 15 , wherein the identifier is larger in size than the biometric data.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.